on 04-10-2012 8:10 AM
Hi everybody,
I'm currently facing a problem reading group membership (attribute member) of large AD groups using the "From LDAP directory" pass. I know that there is a limitation on AD (maxValRange property in AD) which controls how many values are returned for one attribute when querying one entry. I also know that it is possible to overcome this issue using SearchControls (e.g. ({"member;Range=1499-*"}) and increase this value in a loop).
Please be aware that this is NOT the "directory page size" in the pass configuration, which has impact on the number of search results returned on one query. Does the default "From LDAP directory" pass support this kind of iteration?
Regards
Matthias Bartel
Hi Matt,
I'm not trying to query a subset of groups. I'm trying to query for exactly one group and read the attribute "member" of this group. That means that I have mapped the attribute "member" in the Destination tab of the LDAP pass. As I mentioned above, there is a limitation on how many values are returned for one multivalue attribute. The question now is whether there is a possibility to overcome this limitation using the standard FromLDAP pass?
Hi Matthias,
You may have already tried this, but did you try putting the line you specified above
"using SearchControls (e.g. ({"member;Range=1499-*"}) and increase this value in a loop)"
into the LDAP repository search criteria? There are 2 standard filters, 1 for users and 1 for groups. What would happen if you put that in those fields?
As Chris has said, you should be able to do this with some standard LDAP syntax. You'll probably have to look into how paging is set up on the AD server. It's possible you might need to set up VDS as an intermediary to help simplify the query as well. Take a look at the VDS AD/LDAP tutorial for more information on setting this up. Once it's set you can set specific starting points in the VDS configuration that correspond to what you need to return.
Matt
Matthias,
I'm not quite sure what you're trying to ask here? The FromLDAP pass allows filtering using standard LDAP syntax. Can you query the subset of groups that way?
Matt
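The ranged read of "member" described in the question, sketched as an added example that is not part of the thread and not SAP IdM code. It assumes a hypothetical `fetch` callback standing in for a base-scope LDAP search on the group, and runs against a constructed fake directory with a per-attribute cap of 1500 values.

```python
import re

# Attribute description a ranged reply carries, e.g. "member;range=0-1499",
# or "member;range=3000-*" for the final chunk.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.I)

def read_all_values(fetch, attr="member", max_rounds=10000):
    """Collect every value of `attr` by requesting successive ranges.

    `fetch(attr_desc)` is a hypothetical callback: it reads the group entry
    asking only for `attr_desc` and returns {returned attribute name: [values]}.
    """
    values, low = [], 0
    for _ in range(max_rounds):
        entry = fetch(f"{attr};range={low}-*")
        chunk = None
        for name, vals in entry.items():
            m = RANGE_RE.match(name)
            if m and m["attr"].lower() == attr.lower():
                chunk = (int(m["low"]), m["high"], vals)
            elif name.lower() == attr.lower() and vals:
                # Plain attribute with values: the server applied no ranging.
                return values + list(vals)
        if chunk is None:
            return values  # attribute absent or empty
        got_low, high, vals = chunk
        if got_low != low:
            raise ValueError(f"expected range starting at {low}, got {got_low}")
        values.extend(vals)
        if high == "*":
            return values  # "*" as upper bound marks the last chunk
        low = int(high) + 1
    raise RuntimeError("range retrieval did not terminate")

def make_fake_ad(members, max_val_range=1500):
    """Constructed stand-in for a server that caps values per attribute."""
    def fetch(attr_desc):
        low = int(RANGE_RE.match(attr_desc)["low"])
        window = members[low:low + max_val_range]
        if not window:
            return {}
        last = low + len(window) - 1
        high = "*" if last == len(members) - 1 else str(last)
        # The empty plain attribute is included so the client must skip it.
        return {"member": [], f"member;range={low}-{high}": window}
    return fetch

# Constructed sample data: a group with 3,200 member DNs.
SAMPLE = [f"CN=user{i},OU=Staff,DC=example,DC=com" for i in range(3200)]
```

A reader that stops after the first reply sees only the first 1500 of these 3,200 members, so anything built on that read (provisioning, access reviews) works from a truncated membership list.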